ssl handshake failure.

vipin <>
Wed Dec 21 12:15:10 CET 2005


Hi folks,

     I'm facing the following error when a C-client tries to connect an 
Erlang server.

on Client Side :
*************************************************************
$ ./cclient 202.62.79.138 5000
SSL connection using DES-CBC3-MD5
Details of Server certificate:
         subject: /CN=server/OU=Erlang OTP/O=Ericsson 
AB/C=SE/L=Stockholm/emailAddress=
         issuer: /CN=otpCA/OU=Erlang OTP/O=Ericsson 
AB/C=SE/L=Stockholm/emailAddress=
Status of the cert = 0
1962:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake 
failure:s2_pkt.c:428:
*************************************************************

Where as server stucks on ssl:accept(LSock).

Here is the server code :
================
%%%%%%%%%%%%%%%%%%%%%%%%%%
start_server() ->
    application:start(ssl),
    ssl:seed("pouslkjdfskdnfsowewasd"),
    Dir = filename:join([code:lib_dir(ssl), "examples", "certs", "etc"]),
    io:format("Dir : ~p~n",[Dir]),
    Role="server",
    io:format("Before ssl:listen~n"),
    case ssl:listen(?server_port, [binary, {packet, 0},{active, false}, 
{verify, 2}, {depth, 2},
    {cacertfile, filename:join([Dir, Role, "cacerts.pem"])},
    {certfile, filename:join([Dir, Role, "cert.pem"])},
     {keyfile, filename:join([Dir, Role, "key.pem"])}]) of
            {ok, ListenSock} ->
               spawn(tcpserver, listen_request, [ListenSock]);
              Other ->
                io:format("Can't listen to socket ~p~n", [Other])
    end.

listen_request(LSock)->
   io:format("in listen request , LSock : ~p~n",[LSock]),
   case ssl:accept(LSock) of
    {ok, Socket} ->
                      Pid= spawn(tcpserver, logon_client,[Socket]),
              listen_request(LSock);
        {error, Reason} ->
             io:format("Error : Reason - ~p~n",[Reason]),
                     listen_request(LSock)
    end.

%%%%%%%%%%%%%%%%%%%%%%%%%%

And Client code
===========
///////////////////////////////////////////////////////////////////////////////
#define CHK_NULL(x) if ((x)==NULL) exit (1)
#define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
#define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); 
exit(2); }

void init_ssl (void){
    SSLeay_add_ssl_algorithms ();
    meth = SSLv2_client_method ();
    SSL_load_error_strings ();
    ctx = SSL_CTX_new (meth);
    CHK_NULL (ctx);
}

int open_conxn_to_serv (void){
    int sock = socket (AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in serv_addr;
    int ret_conn = 0;
    X509*    server_cert;
    char* str;
   
    if (sock < 0){
        printf("sock < 0\n");
        return (sock);
    }
   
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_addr.s_addr = inet_addr (serv_ip);
    serv_addr.sin_port = htons (serv_port);
    ret_conn = connect (sock, (struct sockaddr *) &serv_addr, sizeof 
(serv_addr));
   
    if (ret_conn < 0){
        printf("ret_conn < 0\n");
        perror ("open_conxn_to_server:Failed to connect :...");
        close (sock);
        return (-1);
    }
   
    serv_ssl = SSL_new (ctx);
    CHK_NULL (serv_ssl);
    SSL_set_fd (serv_ssl, sock);
    SSL_connect (serv_ssl);                    
    CHK_SSL(ret_conn);

    server_cert = SSL_get_peer_certificate (serv_ssl);      
    CHK_NULL(server_cert);

    printf ("Details of Server certificate:\n");
    str = X509_NAME_oneline (X509_get_subject_name(server_cert),0,0);
    CHK_NULL(str);
    printf ("\t subject: %s\n", str);
    free (str);
    str = X509_NAME_oneline (X509_get_issuer_name(server_cert),0,0);
    CHK_NULL(str);
    printf ("\t issuer: %s\n", str);
    free (str);


    X509_STORE_CTX ctx;
    int i;

    X509_STORE_CTX_init(&ctx,serv_ssl->ctx->cert_store, server_cert, NULL);

    if (SSL_get_verify_depth(serv_ssl) >= 0)
                X509_STORE_CTX_set_depth(&ctx, 
SSL_get_verify_depth(serv_ssl));

    
X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),serv_ssl);

    if(serv_ssl->server)
        i = X509_PURPOSE_SSL_CLIENT;
    else
        i = X509_PURPOSE_SSL_SERVER;

    i=X509_verify_cert(&ctx);
   
    printf("Status of the cert = %d \n", i);
   
    X509_free (server_cert);   

    return (sock);
  }
///////////////////////////////////////////////////////////////////////////////


Is it a right approach to get a SSL connection ? Or do i making any 
mistake ?
Suggestions and comments would be welcome.

Cheers,
Vipin



More information about the erlang-questions mailing list